Re: Incrementally deployable secure Internet routing: operator survey

[Matt Harris <matt () netfire net>]

Matt Harris|Infrastructure Lead
816-256-5446|Direct
Looking for help?
Helpdesk|Email Support
We build customized end-to-end technology solutions powered by NetFire Cloud.
On Fri, Dec 17, 2021 at 12:51 PM Adrian Perrig <perrig () gmail com> wrote:

> Dear Nanog,
>
> Knowing how challenging it is to apply new technologies to current
> networks, in a collaboration between ETH, Princeton University, and
> University of Virginia, we constructed a system that provides security
> benefits for current Internet users while requiring minimal changes to
> networks. Our design can be built on top of the existing Internet to
> prevent routing attacks that can compromise availability and cause
> detrimental impacts on critical infrastructure – even given a low adoption
> rate. This provides benefits over other proposed approaches such as RPKI
> that only protects a route’s origin first AS, or BGPsec that requires
> widespread adoption and significant infrastructure upgrades.
>
> Our architecture, called Secure Backbone AS (SBAS), allows clients to
> benefit from emerging secure routing deployments like SCION by tunneling
> into a secure infrastructure. SBAS provides substantial routing security
> improvements when retrofitted to the current Internet. It also provides
> benefits even to non-participating networks and endpoints when
> communicating with an SBAS-protected entity.
>
> Our ultimate aim is to develop and deploy SBAS beyond an experimental
> scope. We have designed a survey to capture the impressions of the network
> operator community on the feasibility and viability of our design. The
> survey is anonymous and takes about 10 minutes to complete, including
> watching a brief 3-minute introductory video.
>
>
> https://docs.google.com/forms/d/e/1FAIpQLSc4VCkqd7i88y0CbJ31B7tVXyxBlhEy_zsYZByx6tsKAE7ROg/viewform?usp=pp_url&entry.549791324=NANOG+mailing+list
>
> We thank you for helping inform our further work on this project. We will
> be happy to share the results with the community.
>
> With kind regards
>   Prateek Mittal, Adrian Perrig, Yixin Sun

Adrian,
After viewing the video you included, I'm still not sure what SCION is or
how it works (as best I can tell, a bunch of folks get together, share an
AS border, and just do private AS peering with one another inside, then the
shared AS border does the internet advertising of whatever public networks
they wish?), but it sounds like your proposed monolithic new exercise
wouldn't offer much beyond what could be done by allowing folks to get a
default route VPN to a provider that does strict AS border RPKI ROV
already. Can you describe how this would be better or stronger protection
from any given attack than that, in a meaningful enough way as to make it
worth potentially creating massive bureaucracies and new technical systems
which seems to rely on massive networks of VPNs overlaid over the existing
public internet?

- mdh